Indeed, Equifax managed to compound the severity of its breach by also storing copies of users' passwords in a plaintext file, even though its own cryptographic standards stated that passwords should only ever be stored in encrypted, hashed, masked, tokenized or other approved formats.

Credit Bureau Profits From Consumer Data

But the security failure at Equifax is especially egregious, given that the company generates massive profits from buying, sharing and selling personal information - often without individuals' knowledge - yet still failed to put the resources in place to ensure that it was also securing this sensitive information.

Some privacy and security experts point out that many consumers would never have known that the company was acquiring, selling or storing their personal details.

"Equifax Ltd. showed a serious disregard for their customers and the personal information entrusted to them," U.K. Information Commissioner Elizabeth Denham said last week. "Many of the people affected would not have been aware the company held their data; learning about the cyberattack would have been unexpected and is likely to have caused particular distress."

Denham helms the Information Commissioner's Office, which is the U.K.'s data protection authority responsible for enforcing the country's privacy laws.

Password Security Failures

In the 32-page monetary penalty notice (PDF) issued against Equifax last week, the ICO cites a long list of failures at Equifax that contributed to the breach. Those failures include Equifax creating a "GCS dataset" - for Global Consumer Services - that attackers compromised, which contained 14,961 U.K. "data subjects' name, address, date of birth, username, password (in plaintext), secret question and answer (in plaintext), credit card number (obscured) and some payment amounts."

The ICO notes that the compromised data was being stored in a plaintext file labeled as being the "Standard Fraud Daily" report, which Equifax said was designed to be a "snapshot in time" of the GCS data.

"The file was held in a fileshare, which was accessible by multiple users - including system administrators and middleware technicians - for the purposes of maintenance and/or the release of application code. The file contained 'live' data taken from the GCS dataset which was created for testing purposes, with the intention of eventually sending it to Equifax Ltd.'s Fraud Investigations Team in the U.K.," the ICO says. "Equifax Ltd has stated that the file was used in order to perform password analysis for the purposes of fraud prevention."

But the ICO said this was not a valid reason for Equifax having failed to secure the data. "The commissioner has seen no adequate evidence or explanation indicating that this was a valid reason for this data not being processed in accordance with Equifax's data handling and cryptography standards, particularly given the existence of several other fraud prevention techniques in use at the time, none of which required personal data to be stored in plaintext form," the ICO says.

The privacy watchdog also notes "that Equifax has subsequently ceased the practice of storing passwords in plaintext whilst still being able to achieve its fraud prevention aims."
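The fraud-prevention rationale quoted above does not require plaintext, and the ICO's closing remark confirms the aims can be met without it. The following is an added example, not code from Equifax or the ICO notice, showing one way a "password analysis" job can run on a keyed fingerprint column instead of the passwords themselves: equal passwords still collide, so shared passwords across accounts and hits against a weak-password list can be found, but a stolen copy of the file does not hand an attacker the passwords. The sample rows, the PEPPER secret and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample rows, not data from the ICO notice: the shape of a
# "Standard Fraud Daily"-style snapshot before the password column is fixed.
SNAPSHOT = [
    {"username": "alice", "password": "Summer2017!"},
    {"username": "bob",   "password": "Password1"},
    {"username": "carol", "password": "Summer2017!"},
    {"username": "dave",  "password": "correct horse battery staple"},
]

# Hypothetical secret held by the fraud team (ideally in an HSM or secrets
# manager), never written to the fileshare alongside the data.
PEPPER = secrets.token_bytes(32)


def fingerprint(password: str, pepper: bytes) -> str:
    """Keyed digest of a password. Equal passwords give equal fingerprints, so
    duplicates can still be counted; without the pepper, whoever steals the
    file cannot run an offline guessing attack against the column."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).hexdigest()


def strip_plaintext(records, pepper: bytes):
    """Return the snapshot with the plaintext column replaced by fingerprints."""
    return [{"username": r["username"], "pw_fp": fingerprint(r["password"], pepper)}
            for r in records]


def shared_password_groups(fingerprinted):
    """Fraud query 1: sets of accounts that use the same password."""
    groups = defaultdict(list)
    for r in fingerprinted:
        groups[r["pw_fp"]].append(r["username"])
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def matches_known_bad(fingerprinted, known_bad, pepper: bytes):
    """Fraud query 2: accounts whose password appears in a weak/breached list.
    The list is fingerprinted under the same pepper, so no customer plaintext
    is needed for the comparison."""
    bad = {fingerprint(p, pepper) for p in known_bad}
    return sorted(r["username"] for r in fingerprinted if r["pw_fp"] in bad)


def storage_hash(password: str) -> str:
    """What the login database itself should hold: a salted, slow hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_storage_hash(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    fp_rows = strip_plaintext(SNAPSHOT, PEPPER)
    print("shared passwords:", shared_password_groups(fp_rows))
    print("known-bad hits:", matches_known_bad(fp_rows, ["Password1", "123456"], PEPPER))
```

The keyed fingerprint is deliberately separate from the scrypt hash used for authentication: the fingerprint exists only for the analysis job and is useless once the pepper is rotated, whereas the login store never needs to support equality queries across accounts at all.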

Excerpt from the ICO's monetary penalty notice against Equifax

Channel 'Lorem Ipsum'

In this day and age, there is no excuse for developers to be using live data in testing environments.

Substituting fake but lookalike data isn't a new concept. Arguably, it dates from the heady "greeking" days of the 1500s, when printers and typesetters began using "lorem ipsum" - nonsensical Latin - as placeholder text.

Enter the digital age: Developers need to ensure that when users enter a value into a 16-digit credit card field, for example, their application handles it correctly. But testing with live data outside of production increases the risk that insiders or outsiders who shouldn't be seeing the data might gain access to it.

That's why numerous development tools offer the ability to obfuscate and mask live data, as well as to generate "good enough" test data that developers can use instead.

European IT market researcher Bloor Research notes that such tools are available from a variety of vendors, including CA, Compuware, Dataprof, Dataguise, Delphix, HPE, IBM, Imperva Camouflage, IMS Privacy Analytics, Informatica, Mentis, Net 2000, Protegrity and Solix.
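To make the masking idea concrete, here is an added example in Python, not code from the page or from any of the vendors listed above, that turns rows shaped like the GCS columns the ICO describes into a test-safe extract. Card numbers become format-preserving surrogates that keep the six-digit issuer prefix and pass the Luhn check, so the application's card-handling paths still run; names, addresses, usernames and dates of birth are replaced with values derived from a keyed hash, so the same live record always maps to the same fake record and joins between tables survive. The rows, MASK_KEY, the name lists and the helper names are assumptions for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed rows mirroring the columns the ICO lists for the GCS dataset;
# these are not real Equifax records.
LIVE_ROWS = [
    {"name": "Jane Doe", "address": "1 High Street, Leeds", "dob": "1980-04-12",
     "username": "jdoe80", "card_number": "4111111111111111", "amount": "45.00"},
    {"name": "John Roe", "address": "2 Mill Lane, York", "dob": "1975-11-30",
     "username": "jroe", "card_number": "5500000000000004", "amount": "120.50"},
]

# Hypothetical masking key: kept by whoever produces the test extract and never
# shipped with it. A fixed key gives the same surrogates on every run, so
# foreign keys between masked tables still line up.
MASK_KEY = b"example-masking-key-do-not-reuse"

FIRST_NAMES = ["Alex", "Sam", "Jordan", "Taylor", "Casey", "Morgan"]
LAST_NAMES = ["Smith", "Jones", "Taylor", "Brown", "Wilson", "Evans"]


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # digits at even offsets from the right are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def surrogate_pan(real_pan: str, key: bytes) -> str:
    """Format-preserving surrogate: same length, same first six digits (the
    issuer range the application may branch on), Luhn-valid, and derived from
    HMAC(key, real_pan) so the mapping is consistent but not reversible
    without the key."""
    bin_prefix = real_pan[:6]
    body_len = len(real_pan) - len(bin_prefix) - 1
    digest = hmac.new(key, real_pan.encode("utf-8"), hashlib.sha256).digest()
    body = "".join(str(b % 10) for b in digest[:body_len])
    payload = bin_prefix + body
    return payload + luhn_check_digit(payload)


def _pick(choices, key: bytes, label: str, seed: str) -> str:
    """Deterministic choice from a list, keyed so it cannot be inverted."""
    d = hmac.new(key, f"{label}:{seed}".encode("utf-8"), hashlib.sha256).digest()
    return choices[int.from_bytes(d[:4], "big") % len(choices)]


def mask_row(row: dict, key: bytes) -> dict:
    """Produce a test-safe row: identifying fields replaced, the payment amount
    kept so arithmetic and reporting logic is still exercised."""
    seed = row["username"]
    d = hmac.new(key, seed.encode("utf-8"), hashlib.sha256).hexdigest()
    shift_days = int(d[:4], 16) % 361 - 180           # deterministic shift of up to 180 days
    dob = date.fromisoformat(row["dob"]) + timedelta(days=shift_days)
    return {
        "name": f"{_pick(FIRST_NAMES, key, 'first', seed)} {_pick(LAST_NAMES, key, 'last', seed)}",
        "address": f"{int(d[4:6], 16) + 1} Test Street, Testville",
        "dob": dob.isoformat(),
        "username": "user_" + d[:8],
        "card_number": surrogate_pan(row["card_number"], key),
        "amount": row["amount"],
    }


def mask_rows(rows, key: bytes):
    return [mask_row(r, key) for r in rows]


def dob_shift_days(live: dict, masked: dict) -> int:
    """How far the masked date of birth moved from the live one, in days."""
    return abs((date.fromisoformat(masked["dob"]) - date.fromisoformat(live["dob"])).days)


if __name__ == "__main__":
    for live, masked in zip(LIVE_ROWS, mask_rows(LIVE_ROWS, MASK_KEY)):
        print(live["card_number"], "->", masked["card_number"], luhn_valid(masked["card_number"]))
```

Two caveats a practitioner would add: the masking key is itself sensitive (with it, anyone can confirm whether a guessed live card number maps to a given surrogate), and the masked extract should still be treated as internal test data, not as public. Commercial tools add what this sketch omits, such as consistent masking across many tables and referential-integrity checks, but the principle is the same.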

Equifax Failed to Obtain Consent

Equifax compounded its data security and privacy failures by not only storing passwords and security questions and answers in a plaintext file, but also by not obtaining users' consent to do so.

Under the U.K.'s Data Protection Act, data subjects must give "specific and informed indication" of the ways in which they will allow their data to be processed.

The ICO asked Equifax why it had failed to obtain consent from users to store their plaintext passwords and security questions and other data in a plaintext file.

"Equifax suggested that informing data subjects that their passwords would be stored in plaintext form would have created a security risk," the ICO says. "The commissioner's view is that this type of processing activity was an inappropriate security risk, particularly given the state of the art and costs of implementation as regards appropriate technical measures to protect personal data, the resources available to an organization of Equifax's size, and the nature of the processing it undertook."

The ICO's penalty notice also cites other, previously reported failures, including Equifax having failed to renew a digital certificate for more than a year, which left one of its network monitoring tools unable to inspect encrypted traffic for signs of malicious activity. That blind spot turned out to be how attackers exfiltrated stolen data from Equifax starting in May 2017, as Equifax discovered in July 2017 after it renewed the certificate and the tool began working again.

Taking these and other failures into account, the ICO last week imposed the maximum possible fine on Equifax.

Organizations that fail to comply with GDPR's privacy requirements face fines of up to 4 percent of their annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($12 million) or 2 percent of annual global revenue, whichever is greater (see GDPR Effect: Data Protection Complaints Spike).

Under the previous data protection law, however, the maximum fine facing Equifax - which is what the ICO levied - was just £500,000 ($660,000), or about 0.02 percent of the company's 2017 annual global revenue of $3.4 billion.

Few Repercussions in U.S.

While Europe continues to crack down on companies that fail to properly secure private data, many information security experts say the U.S. lags.

Information assurance trainer William Hugh Murray says big credit bureaus such as Equifax should be held to a higher standard of security, given the types of PII they handle.

"One should not be surprised by this [Equifax] breach scenario," Murray says. "Few breaches are rooted in a single failure. However, these were all failures of essential practices, ones that would be expected of any business, much less one that deals in purloined data about all citizens."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
